Analysis
- max time kernel: 54s
- max time network: 183s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 13-03-2023 05:06
Behavioral task
- behavioral1
- Sample: 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe
- Resource: win7-20230220-en
General
- Target: 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe
- Size: 3.0MB
- MD5: a8a106555b9e1f92569d623c66ee8c12
- SHA1: a5080c26b5f5911c10d80654c84239a226fc75d1
- SHA256: 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a
- SHA512: 9b9813b0b47e84523fc96cc427aa234d4533e77483ddf28dae35449570373370fdde4380877870aca634a9746b58743ea3c1d9ea31d7162d61d645ca58f60b26
- SSDEEP: 49152:3WjN903V68U3f1uXAlL/EUSiITRf+EGg7dyvUCUDaB5+Tc6k1HFm:3IrIVbUYiLs4vUCU5T0w
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: wmic.exe, WMIC.exe
  description                           pid   process
  Token: SeIncreaseQuotaPrivilege       4048  wmic.exe
  Token: SeSecurityPrivilege            4048  wmic.exe
  Token: SeTakeOwnershipPrivilege       4048  wmic.exe
  Token: SeLoadDriverPrivilege          4048  wmic.exe
  Token: SeSystemProfilePrivilege       4048  wmic.exe
  Token: SeSystemtimePrivilege          4048  wmic.exe
  Token: SeProfSingleProcessPrivilege   4048  wmic.exe
  Token: SeIncBasePriorityPrivilege     4048  wmic.exe
  Token: SeCreatePagefilePrivilege      4048  wmic.exe
  Token: SeBackupPrivilege              4048  wmic.exe
  Token: SeRestorePrivilege             4048  wmic.exe
  Token: SeShutdownPrivilege            4048  wmic.exe
  Token: SeDebugPrivilege               4048  wmic.exe
  Token: SeSystemEnvironmentPrivilege   4048  wmic.exe
  Token: SeRemoteShutdownPrivilege      4048  wmic.exe
  Token: SeUndockPrivilege              4048  wmic.exe
  Token: SeManageVolumePrivilege        4048  wmic.exe
  Token: 33                             4048  wmic.exe
  Token: 34                             4048  wmic.exe
  Token: 35                             4048  wmic.exe
  Token: 36                             4048  wmic.exe
  Token: SeIncreaseQuotaPrivilege       4048  wmic.exe
  Token: SeSecurityPrivilege            4048  wmic.exe
  Token: SeTakeOwnershipPrivilege       4048  wmic.exe
  Token: SeLoadDriverPrivilege          4048  wmic.exe
  Token: SeSystemProfilePrivilege       4048  wmic.exe
  Token: SeSystemtimePrivilege          4048  wmic.exe
  Token: SeProfSingleProcessPrivilege   4048  wmic.exe
  Token: SeIncBasePriorityPrivilege     4048  wmic.exe
  Token: SeCreatePagefilePrivilege      4048  wmic.exe
  Token: SeBackupPrivilege              4048  wmic.exe
  Token: SeRestorePrivilege             4048  wmic.exe
  Token: SeShutdownPrivilege            4048  wmic.exe
  Token: SeDebugPrivilege               4048  wmic.exe
  Token: SeSystemEnvironmentPrivilege   4048  wmic.exe
  Token: SeRemoteShutdownPrivilege      4048  wmic.exe
  Token: SeUndockPrivilege              4048  wmic.exe
  Token: SeManageVolumePrivilege        4048  wmic.exe
  Token: 33                             4048  wmic.exe
  Token: 34                             4048  wmic.exe
  Token: 35                             4048  wmic.exe
  Token: 36                             4048  wmic.exe
  Token: SeIncreaseQuotaPrivilege       4336  WMIC.exe
  Token: SeSecurityPrivilege            4336  WMIC.exe
  Token: SeTakeOwnershipPrivilege       4336  WMIC.exe
  Token: SeLoadDriverPrivilege          4336  WMIC.exe
  Token: SeSystemProfilePrivilege       4336  WMIC.exe
  Token: SeSystemtimePrivilege          4336  WMIC.exe
  Token: SeProfSingleProcessPrivilege   4336  WMIC.exe
  Token: SeIncBasePriorityPrivilege     4336  WMIC.exe
  Token: SeCreatePagefilePrivilege      4336  WMIC.exe
  Token: SeBackupPrivilege              4336  WMIC.exe
  Token: SeRestorePrivilege             4336  WMIC.exe
  Token: SeShutdownPrivilege            4336  WMIC.exe
  Token: SeDebugPrivilege               4336  WMIC.exe
  Token: SeSystemEnvironmentPrivilege   4336  WMIC.exe
  Token: SeRemoteShutdownPrivilege      4336  WMIC.exe
  Token: SeUndockPrivilege              4336  WMIC.exe
  Token: SeManageVolumePrivilege        4336  WMIC.exe
  Token: 33                             4336  WMIC.exe
  Token: 34                             4336  WMIC.exe
  Token: 35                             4336  WMIC.exe
  Token: 36                             4336  WMIC.exe
  Token: SeIncreaseQuotaPrivilege       4336  WMIC.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: 84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe, cmd.exe, cmd.exe
  description                        pid   process                                                                 target process
  PID 3232 wrote to memory of 4048   3232  84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe  wmic.exe
  PID 3232 wrote to memory of 4048   3232  84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe  wmic.exe
  PID 3232 wrote to memory of 4048   3232  84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe  wmic.exe
  PID 3232 wrote to memory of 4316   3232  84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe  cmd.exe
  PID 3232 wrote to memory of 4316   3232  84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe  cmd.exe
  PID 3232 wrote to memory of 4316   3232  84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe  cmd.exe
  PID 4316 wrote to memory of 4336   4316  cmd.exe                                                                 WMIC.exe
  PID 4316 wrote to memory of 4336   4316  cmd.exe                                                                 WMIC.exe
  PID 4316 wrote to memory of 4336   4316  cmd.exe                                                                 WMIC.exe
  PID 3232 wrote to memory of 2204   3232  84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe  cmd.exe
  PID 3232 wrote to memory of 2204   3232  84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe  cmd.exe
  PID 3232 wrote to memory of 2204   3232  84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe  cmd.exe
  PID 2204 wrote to memory of 4176   2204  cmd.exe                                                                 WMIC.exe
  PID 2204 wrote to memory of 4176   2204  cmd.exe                                                                 WMIC.exe
  PID 2204 wrote to memory of 4176   2204  cmd.exe                                                                 WMIC.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\84aac7290471d6aa883962c2e739b44adcea7f533cc0317e8d0d6f847def1f7a.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    command line: wmic os get Caption
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    command line: cmd /C "wmic path win32_VideoController get name"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      command line: wmic path win32_VideoController get name
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    command line: cmd /C "wmic cpu get name"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      command line: wmic cpu get name
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
  Filesize: 72KB
  MD5: 2b8e1b75b4d4fdf0c640838191ac3946
  SHA1: dfac012ccaa015f6a9ec5bd1c55ffa7b8074fb7f
  SHA256: 17a69481ffd684f025b0fe6b0f22529bd8454c49915e580da43fcb08a0c56e4e
  SHA512: 3c4de03250813dc78b772cc7e3246ac2726c37fae00844bfceda683e05506b53ba7ea95a06e2929e8ec736ccd50a9138e9f6e3c80980ebde5ed7ac66f06cc038